
Incident Response

1 Windows Incident Response

1.1 File Analysis

1.1.1 Startup Items

Check the Startup folder of the Start menu:

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup


Check the Startup tab of System Configuration (msconfig):


Check the Run keys in the registry (the RunOnce keys under the same paths are worth a look as well):

HKCU\software\Microsoft\Windows\CurrentVersion\Run

HKLM\software\Microsoft\Windows\CurrentVersion\Run


1.1.2 The tmp Temporary Folder

In cmd (or the Run dialog), enter %tmp% to open the temporary folder directly.

Check whether this folder contains suspicious files (exe, dll, sys).

1.1.3 Browser History

Tools: NirSoft BrowsingHistoryView and BrowserDownloadsView, available from https://launcher.nirsoft.net/downloads/index.html

1.1.4 File Attribute Analysis

On Windows, a file carries three time attributes: creation time, modification time, and access time (access-time updating is disabled by default). By default, Explorer displays the modification time.

If the modification time is earlier than the creation time, the file is very suspicious: tools such as China Chopper (中国菜刀) can rewrite a file's modification time. The creation, modification and access times can all be viewed in the file's Properties dialog.

1.1.5 Recently Opened Files

By default, Windows records information about the most recently opened files.

View it in the directory C:\Documents and Settings\Administrator\Recent, or press Win+R and enter %UserProfile%\Recent in the Run dialog. Then use the Explorer filter criteria to narrow the list to files from a specific time range.

1.2 Process Analysis

1.2.1 Finding and Terminating Suspicious Processes

Communication between the computer and the external network runs over TCP or UDP, and each connection uses a port (0~65535). A computer infected with a Trojan will communicate with the external network, so you can inspect the network connection state, find the corresponding process ID, and terminate that process to close the connection.

# Check the network connection status
# (cmd's find needs double quotes; single quotes are passed literally)
netstat -ano | find "ESTABLISHED"

# Find the program and services behind a specific PID
tasklist /svc | find "<pid>"

# Terminate the process and its child processes
taskkill /PID <pid> /T

1.2.2 Windows Scheduled Tasks

A scheduled task performs a fixed operation at a fixed time, and malicious code is often set to run this way.

Use the at or schtasks command to manage scheduled tasks; entering at on its own lists the scheduled tasks saved on the current computer. (at is deprecated on newer Windows versions; use schtasks /query there.)

The same tasks can also be viewed in the Task Scheduler program.

1.2.3 Finding and Removing Hidden Accounts

A hidden account is a computer account created after a "hacker" intrusion that is not easily noticed on the system.

The simplest hidden account:

net user test$ test /add
net localgroup administrators test$ /add

The trailing $ in the name keeps the test$ user from appearing when the system administrator runs net user. Such accounts still show up in Local Users and Groups (lusrmgr.msc) and under the registry key HKLM\SAM\SAM\Domains\Account\Users\Names, and can be removed with net user test$ /delete.

1.3 System Information

1.3.1 Viewing and Updating Patches

Windows fixes vulnerabilities through patches. systeminfo displays system information, including the identifiers (KB numbers) of the installed hotfixes. Installed system patches and third-party software patches can also be viewed under Programs and Features (View installed updates).

1.4 Webshell Scanning

Common tool: D Shield (D盾)

2 Linux Analysis and Investigation

2.1 File Analysis

2.1.1 The tmp Directory

In Linux everything is a file, and /tmp is a special temporary directory that every user can read and write. Because even an ordinary, unprivileged user can write to /tmp, it is a common drop location for attacker tooling and deserves a close look.

2.1.2 Startup Items

Check the contents of the startup directory /etc/init.d/; malicious code is often planted in a startup location. On systemd-based systems, also review /etc/systemd/system/ and the output of systemctl list-unit-files --state=enabled.

List the files in a directory sorted by modification time, newest first: ls -alt | head -n 10

View a file's time attributes: stat <filename>

Enable a program at boot: update-rc.d <program name> enable

Disable a program at boot: update-rc.d <program name> disable

2.1.3 Searching by File Modification Time

New file analysis:

Find PHP files modified within the last 24 hours:

find ./ -mtime 0 -name '*.php'

Find new PHP files within the last 72 hours:

find ./ -ctime -3 -name '*.php'

(-ctime matches the inode status-change time, since find has no creation-time test on Linux; a chmod or chown therefore also makes a file show up here.)

Permission search:

find ./ -iname '*.php' -perm 777

-iname ignores case; -perm filters on file permissions (777 here matches files whose mode is exactly 777, i.e. readable, writable and executable by everyone).

2.2 Process Analysis

2.2.1 Network Connection Analysis

In Linux, netstat shows network connections.

netstat: print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships (from its man page).

The commonly used form is netstat -pantl, which lists TCP sockets together with the owning process (ss -pantl gives the same view on systems where netstat is not installed).

To close an unknown connection, terminate its process with kill -9 <PID>. Record the process's executable and command line first (see 2.2.2), because that evidence disappears with the process.

2.2.2 The File Behind a Process

In Linux, ps shows process-related information.

ps aux lists all processes.

ps aux | grep <PID> filters to a specific PID; lsof -i:<port> performs a similar lookup starting from a port number.

The executable a process was started from can be read with ls -l /proc/<PID>/exe; the link shows "(deleted)" if the binary was removed after launch, a common trait of malware.

2.3 Login Analysis

Operations performed on Linux are recorded in the system logs, so the login records can be reviewed for abnormal logins. last -i | grep -v 0.0.0.0 shows the login history and filters out local logins; lastb lists failed login attempts.

w shows the currently logged-in users in real time.

2.4 Investigating Abnormal Users

In Linux, the root user is all-powerful and can do anything on the system.

Create a new user: useradd <username>

Set its password: passwd <username>, then enter the password

An account becomes root-equivalent if its uid and gid are both set to 0 (root's uid is 0 and gid is 0), which only takes an edit to /etc/passwd. Checks for such accounts:

# List all accounts
cat /etc/passwd

# Quick look for 0:0 entries
grep '0:0' /etc/passwd

# Permissions and last modification time of the file itself
ls -l /etc/passwd

# Every account whose uid is 0 (only root should appear)
awk -F: '$3==0 {print $1}' /etc/passwd

# Accounts with an empty password field (no password needed to log in); either form works
awk -F: '$2=="" {print $1}' /etc/shadow
awk -F: 'length($2)==0 {print $1}' /etc/shadow
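The checks above combined into one pass over both files, as an added example that is not part of the original post; the audit_accounts function and the sample passwd/shadow data are constructed here for illustration, and it also cross-checks that every login-capable account has a shadow entry.

```shell
# Added example (not from the original post): cross-check a passwd-format and
# a shadow-format file for the account anomalies discussed in section 2.4.
# Prints one "<finding> <user>" line per hit; nothing printed means clean.
audit_accounts() {
    # $1: passwd-format file, $2: shadow-format file
    awk -F: '
        # Pass 1 (shadow): remember the password field of each user
        NR == FNR { hash[$1] = $2; next }
        # Pass 2 (passwd): apply the checks
        {
            user = $1; uid = $3; gid = $4; shell = $7
            # uid 0 makes the account root-equivalent; gid 0 alone is a weaker sign
            if (uid == 0 && user != "root") print "uid0-not-root " user
            else if (gid == 0 && user != "root") print "gid0-not-root " user
            # the password checks only matter for accounts that can log in
            login = (shell !~ /(nologin|false)$/)
            if (login && (user in hash) && hash[user] == "") print "empty-password " user
            if (login && !(user in hash)) print "no-shadow-entry " user
        }' "$2" "$1"
}

# Constructed sample data (not from any real system) so the function runs stand-alone
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backdoor:x:0:0::/home/backdoor:/bin/bash
helper:x:1004:0::/home/helper:/bin/bash
nopass:x:1002:1002::/home/nopass:/bin/bash
ghost:x:1003:1003::/home/ghost:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$salt$hashvalue:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
www-data:!:18000:0:99999:7:::
backdoor:$6$salt$hashvalue:18000:0:99999:7:::
helper:$6$salt$hashvalue:18000:0:99999:7:::
nopass::18000:0:99999:7:::
EOF
audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```

On a live system run audit_accounts /etc/passwd /etc/shadow (reading /etc/shadow requires root).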

2.5 Command History Analysis

In Linux, commands executed earlier are by default recorded in the /root/.bash_history file (each user has their own ~/.bash_history).

View it with cat /root/.bash_history or with the history command. An empty or truncated history on a machine that is clearly in use is itself a sign that someone cleaned up after themselves.

2.6 Scheduled Task Investigation

In Linux, the crontab command manages scheduled tasks.

crontab -e edits the scheduled tasks, crontab -l lists the current user's scheduled tasks, and crontab -r removes them (crontab -l -u <user> lists another user's tasks). Pay special attention to unknown entries in scheduled tasks, and also check the system-wide locations /etc/crontab, /etc/cron.d/ and /var/spool/cron/.

2.7 Investigating an Abnormal $PATH Environment Variable

The PATH environment variable determines which directories the shell searches for commands and programs. Its value is a colon-separated list of directories; when you run a command by name, Linux looks for the executable in those directories in order. An entry that is unexpected, relative (an empty entry or .) or world-writable lets an attacker plant a binary that shadows a legitimate command, so those are the entries to look for.

Modify PATH:

export PATH=$PATH:/usr/local/new/bin

# Takes effect only in this terminal and is lost after a restart.
# To make it permanent, set it in /etc/profile or ~/.bashrc (then run source ~/.bashrc).
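A check for the abnormal PATH entries described above, as an added example that is not part of the original post; the audit_path function and its output labels are constructed here for illustration.

```shell
# Added example (not from the original post): audit a PATH value for the
# anomalies described in section 2.7. Prints one "<kind> <entry>" line per
# finding; a clean PATH prints nothing. On a live system run: audit_path "$PATH"
audit_path() {
    # $1: a colon-separated PATH string
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case "$dir" in
            "")  # an empty entry makes the shell search the current directory
                 echo "empty-entry (current directory is searched)" ;;
            /*)  if [ ! -d "$dir" ]; then
                     echo "missing $dir"
                 # -perm -0002: anyone can drop a binary here that shadows a real command
                 elif [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
                     echo "world-writable $dir"
                 fi ;;
            *)   # a relative entry resolves differently in every working directory
                 echo "relative-entry $dir" ;;
        esac
    done
}

# Demonstration on a constructed value: "." is relative and /tmp is world-writable
audit_path "/usr/bin:.:/tmp"
```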

2.8 Automated Backdoor Scanning - rkhunter

Rkhunter provides the following functions:

System command checks with hash verification (MD5 and other digests)

Rootkit detection

Detection of anomalies in sensitive directories and system configuration on the local machine

Installation: apt install rkhunter

Basic use:

rkhunter --check --sk

-c, --check # Check the local system
--sk, --skip-keypress # Don't wait for a keypress after each test

Run rkhunter --update to refresh its data files before a scan. rkhunter --propupd records the current file properties as the baseline, so only run it on a system you trust to be clean.
